LibreCrypt: Open-Source disk encryption for Windows
The latest version of this document can be found at the LibreCrypt project site
LibreCrypt supports passing parameters via a command line interface.
LibreCrypt.exe /mount /volume <volume> [/freeotfe | /linux] [/readonly] [/drive <drive letter>] [/offset <offset>] [/nocdbatoffset] [/keyfile <keyfile>] [/keyfileisascii] [/keyfilenewline {CRLF|LF|CR}] [/lesfile <LES file>] [/saltlength <saltlength>] [/keyiterations <keyiterations>] [/password <password>] [/silent] [/noexit] [/minimize] [/settings <settings file>] LibreCrypt.exe /dismount {<drive letter>[:] | all} [/force] LibreCrypt.exe /count LibreCrypt.exe /create LibreCrypt.exe /portable {start | on | 1 | stop | off | 0 | toggle} [/silent] LibreCrypt.exe /drivercontrol gui LibreCrypt.exe /drivercontrol count [/type {total | portable | installed}] LibreCrypt.exe /drivercontrol install /filename {<driver filename> | all} [/silent] LibreCrypt.exe /drivercontrol uninstall /drivername {<driver name> | all} [/silent]
LibreCrypt has command line parameters so most operations can be run from the command line or MS Windows shortcuts.
In the LibreCrypt GUI and documentation aimed at new users, easy to understand words like 'open', 'container' and 'lock' are used. In documentation aimed at more advanced users (like this page) standard file system terms are used, as follows:
LibreCrypt Volume | A container |
Volume | A 'Container', perhaps for a legacy app |
Mount a volume | Open a Container |
Dismount a volume | Close a Container |
Flush keys for a volume | Lock a Container |
LibreCrypt was previously known as 'FreeOTFE'. The driver that handles native container volumes ('containers') is still known as the 'FreeOTFE' driver and the name is preserved in some filenames and command line parameters.
"-" may be used instead of "/", if required.
Note: Although there is currently no option to specify which drive letter a volume should be mounted as, this may be set on any given container by selecting "Tools | Change volume/keyfile password/details..."
/count |
Count the number of open containers. Exit code indicates the appropriate number (or error code; see below) |
/create |
Create new container |
/dismount {<drive letter>[:] | all}
|
Dismount indicated drive/all drives |
/drive <drive letter>
|
Drive letter to be used when mounting the volume |
/drivercontrol count [/type {total | portable | installed}] |
Return count of drivers as exit code; total drivers present/count installed in portable mode/count formally installed. If "/type" is not specified, "/type total" is assumed |
/drivercontrol gui |
Display driver control dialog |
/drivercontrol install /filename {<driver filename> | all}
|
Install specified driver, or all drivers in the current working directory |
/drivercontrol uninstall /drivername {<driver name> | all}
|
Uninstall specified driver, or all installed drivers. Note that this takes the driver name, not the driver's filename (Important: Don't attempt to uninstall drivers which are currently in use; e.g. by a mounted volume) |
/force |
When dismounting, force dismount (emergency dismount) |
/freeotfe |
The specified volume is a container. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information. |
/keyfile <keyfile>
|
Keyfile to be used when opening a container. Only valid when opening containers |
/keyfileisascii |
Only valid when mounting Linux LUKS volumes. If this flag is specified, the keyfile will be treated as containing ASCII password. Otherwise the keyfile will be treated as containing binary data. Default is to treat as binary. |
/keyfilenewline {CRLF|LF|CR} |
Only valid when mounting Linux LUKS volumes. If /keyfileisascii is specified, the first newline found in the keyfile will be treated as an EOF. This option specifies what constitutes a newline. Default is "LF". |
/keyiterations <keyiterations>
|
The number of key iterations |
/lesfile <LES file>
|
File from which to read Linux encryption settings from. Only valid when mounting non-LUKS Linux volumes |
/linux |
The specified volume is a Linux volume. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information. |
/mount |
Mount indicated file/partition |
/minimize |
Minimise main window when run |
/nocdbatoffset |
Indicates there is no CDB stored from the offset specified by "/offset". Only meaningful when both "/offset", "/freeotfe" and "/keyfile" are used. |
/noexit |
Normally, when run with command line parameters, LibreCrypt carries out the requested action and exits. Specifying this parameter will cause LibreCrypt to continue running |
/offset <offset>
|
Use specified offset when mounting. This may be specified using GB/MB/KB units, or with no units for an offset in bytes (e.g. 5GB or 5368709120 for a 5GB offset). Note: If the value used for the offset has has a space in it, it should be surrounded by quotes (e.g. "10 GB" or 10GB are both valid) |
/password <password>
|
The password to be used. It is not recommended that this is used; particularly in shortcuts, as this would involve storing your password in plaintext such that anyone can read it! |
/portable {start | on | 1 | stop | off | 0 | toggle} |
Turn on/off portable mode |
/readonly |
Mount the volume readonly |
/settings |
Use specified file for program settings, instead of normal settings location |
/silent |
Can be used when installing/uninstalling drivers and changing portable mode to suppress dialogs, and also when mounting a volume to prevent the password entry dialog showing |
/saltlength <saltlength> |
The length of the salt (in bits) |
/volume <volume> |
The volume filename/partition to be used. When using a volume file, this should be set to the full path and filename of a volume file. Partitions should be specified in the form: "\Device\HarddiskX\PartitionY", where X is 0 based, while Y starts from 1 to indicate a particular partition, or 0 to indicate the entire disk. Important: If the volume filename has any spaces in it, then it should be enclosed in double quotes ("). |
/SetTestMode <on|off> |
Set or unset Windows 'test mode' to allow unsigned drivers in 64 bit Windows 7 or above |
/SetInstalled |
Sets a flag in the ini file to indicate the app has been installed. Without this flag, LibreCrypt will attempt to install the drivers at startup |
/dev_menu |
Enables an extra 'developer' menu, used for testing |
Note: Under Windows Vista, the "install" and "uninstall" options require LibreCrypt.exe to be explicitly "runas" an account with administrator privileges, if not being executed from a process which has already been escalated; see examples below. The "/portable" will automatically escalate to administrator privileges, if required
When run at the command line, LibreCrypt will terminate with one of the following exit codes:
Exit code | Meaning |
---|---|
0 | Success |
100 | Invalid/unrecognised command line |
101 | Unable to connect to FreeOTFE driver; check driver is installed or portable mode is started |
102 | Unable to mount volume |
103 | Unable to dismount volume |
104 | Unable to start portable mode |
105 | Unable to stop portable mode |
106 | The requested operation requires administrative privileges |
999 | Other error |
Opening a container:
LibreCrypt.exe /mount /volume "C:\My Private Data\my encrypted volume.vol" /freeotfe
Mounting a Linux volume readonly:
LibreCrypt.exe /mount /volume "C:\My Private Data\my encrypted volume.vol" /linux /readonly
Mounting a container partition::
LibreCrypt.exe /mount /volume "\Device\Harddisk0\Partition1" /freeotfe /readonly
Dismount drive "S:":
LibreCrypt.exe /dismount S:
Dismount all volumes, emergency:
LibreCrypt.exe /dismount all /force
Start and stop portable mode:
LibreCrypt.exe /portable start LibreCrypt.exe /portable stop
Installing drivers (except Windows Vista):
LibreCrypt.exe /drivercontrol install /filename FreeOTFE.sys LibreCrypt.exe /drivercontrol install /filename FreeOTFEHashSHA.sys LibreCrypt.exe /drivercontrol install /filename FreeOTFECypherAES_ltc.sys LibreCrypt.exe /drivercontrol install /filename all
Installing drivers (Windows Vista):
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFE.sys runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFEHashSHA.sys runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFECypherAES_ltc.sys
Uninstalling drivers (except Windows Vista):
LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFE LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFEHashSHA LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFECypherAES LibreCrypt.exe /drivercontrol uninstall /drivername all
Uninstalling drivers (except Windows Vista):
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFE runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFEHashSHA runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFECypherAES